[Snort-sigs] I have a question to ask
chanhung at ...3220...
Wed May 10 23:28:02 EDT 2006
Dear all mailing list members:
I study at Cheng Kung University, which is located in Taiwan. I want to research Snort rules, in particular rule classification, and have two questions to ask for advice.
1. I looked at the Snort rules, which have a file named classification.config with thirty-four class-types. I classified them into five types that I named myself, but I am not sure that the mapping of the thirty-four class-types to the five types is correct. The five types are exploration, break in, escalation, DOS and error message, and these are the types I need. Could you give me some advice on which type is in the wrong position (e.g. "kickass-porn" is not exploration but another type)?
2. The other question is that there are original priorities 1 to 4 in "classification.config", but I want to classify these class-types into levels such as 1 ~ 6. How can I classify the priorities in more detail? Or which documents can I research this in?
Thanks very much for your help. Erci Chen
1. exploration:
Someone wants to explore weaknesses or just scans the host to get some information.
2. break in:
The attacker uses some tools or techniques to break into the victim host.
3. escalation:
If the attacker gets into the victim host, whether by breaking in or not, he can modify some contents or limits of authority, or control this victim host to attack another host.
4. DOS:
All denial of service.
5. error message:
Some unknown, bad or not-suspicious traffic.
Original Classtype: Original priority
2. break in
5. error message
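The following is an added example, not code from the original post or from the Snort project. It reads lines in the real `classification.config` syntax (`config classification: name,description,priority`), groups each classtype under the five categories named in the post using an assumed mapping, and spreads Snort's 1 to 4 priority onto an assumed 1 to 6 scale. The sample config lines, the category mapping and the refinement rule are all assumptions; the classtype names follow ones shipped with Snort, but the subset and the mapping are constructed here, and any classtype the mapping does not cover is reported rather than silently dropped.

```python
import re

# Constructed sample in classification.config syntax; an assumed subset,
# not the full file shipped with Snort.
SAMPLE_CONFIG = """
# comment lines and blank lines are ignored
config classification: attempted-recon,Attempted Information Leak,2
config classification: network-scan,Detection of a Network Scan,3
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: successful-admin,Successful Administrator Privilege Gain,1
config classification: attempted-dos,Attempted Denial of Service,2
config classification: successful-dos,Denial of Service,2
config classification: bad-unknown,Potentially Bad Traffic,2
config classification: not-suspicious,Not Suspicious Traffic,3
config classification: kickass-porn,Adult Content (constructed description),1
"""

LINE_RE = re.compile(r"^\s*config\s+classification:\s*([^,]+),([^,]*),(\d+)\s*$")


def parse_classification(text):
    """Return {classtype: (description, priority)} from classification.config text."""
    table = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # comments, blank lines, other config directives
        name, desc, prio = m.group(1).strip(), m.group(2).strip(), int(m.group(3))
        table[name] = (desc, prio)
    return table


# Assumed mapping of classtypes onto the five categories from the post.
# kickass-porn is deliberately left out so the unmapped-report path is exercised.
CATEGORY = {
    "attempted-recon": "exploration",
    "network-scan": "exploration",
    "attempted-admin": "break in",
    "successful-admin": "escalation",
    "attempted-dos": "DOS",
    "successful-dos": "DOS",
    "bad-unknown": "error message",
    "not-suspicious": "error message",
}

# Assumed rule: these categories take the more urgent slot within a priority band.
SEVERE = {"escalation", "break in", "DOS"}


def refine_priority(priority, category):
    """Spread Snort's 1..4 priority onto an assumed 1..6 scale (1 = most urgent).
    Priorities 1, 2 and 3/4 each get a band of two levels; SEVERE categories
    take the upper slot of the band, the rest the lower one."""
    band = {1: 1, 2: 3, 3: 5, 4: 5}[priority]
    return band if category in SEVERE else band + 1


def classify(text, category_map=CATEGORY):
    """Return ({classtype: (category, original_priority, refined_level)},
    sorted list of classtypes the mapping does not cover)."""
    result, unmapped = {}, []
    for name, (_desc, prio) in parse_classification(text).items():
        cat = category_map.get(name)
        if cat is None:
            unmapped.append(name)
            continue
        result[name] = (cat, prio, refine_priority(prio, cat))
    return result, sorted(unmapped)


if __name__ == "__main__":
    table, missing = classify(SAMPLE_CONFIG)
    for name, (cat, prio, lvl) in sorted(table.items(), key=lambda kv: kv[1][2]):
        print(f"{name:18} {cat:14} snort={prio} level={lvl}")
    print("unmapped classtypes:", missing)
```

The refinement rule is the part to replace with your own judgement; keeping it in one function means the rest of the table does not change when you revise it, and the unmapped list makes it obvious which of the thirty-four classtypes still need a category.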